This article was published in Law360 on June 17, 2019. © Copyright 2019, Portfolio Media, Inc., publisher of Law360. It is republished here with permission. The article was also referenced in Law360 on August 5, 2019.
With cybercrime on the rise, organizations have increasingly found themselves subject to litigation or regulatory investigations related to breaches. Documents and information created before breaches, such as security assessments or audits or forensic investigations conducted in the wake of a breach may be subject to discovery in subsequent litigation or investigation.
The Sedona Conference1 has published for public comment a commentary on the application of the attorney-client privilege and work-product protection to information generated in the cybersecurity context.
Sedona concludes that the current approach increases the cost and complexity of cybersecurity by encouraging the involvement of counsel in areas best served by IT experts, while frustrating investigation and remediation of breaches because entities are unwilling to share their investigations with authorities for fear of waiving privilege protection elsewhere.
Sedona offers proposed reforms — a qualified standalone cybersecurity privilege and a statutory selective waiver — in order to better align incentives toward effective and efficient creation and use of cybersecurity information.
In its thoughtful analysis, Sedona highlights an important and growing problem facing every organization — the uncertainty as to whether certain materials will be protected from discovery. That uncertainty, of course, is not limited to cybersecurity information, but extends to other categories of discovery. Does it make sense, then, to single out a single category for reform?
A policy encouraging parties to share investigative reports with agencies, whether regarding cybersecurity information or security or compliance issues, without running the risk of waiver of privilege could have universal benefit. Further, practical considerations of how a novel privilege might be applied in operation cautions restraint as it may multiply, rather than reduce, confusion and inconsistent results.
Sedona’s Survey of the Application of Attorney-Client Privilege to Cybersecurity Information
After reviewing the general framework of attorney-client privilege and the work-product protection, and the corollary principle of waiver, Sedona discusses the major cases that have specifically addressed attorney-client privilege and the work-product protection in the context of cybersecurity information created before a security breach and after a breach.
Application to Cybersecurity Information Created Before a Breach
Cybersecurity information created before a breach may include technical inventories, configuration reviews, vulnerability scans, penetration tests or security-risk assessments. These materials are technical in nature and generally are performed by IT staff or consultants. Counsel may be involved if they are advising the company on its legal obligations, but this work may be part of a corporation’s normal IT governance.
Similarly, policies and procedures addressing cybersecurity information, security exercises and internal audit reports may be conducted without involvement of counsel. Based on the general attorney-client privilege and work-product protection principles, whether or not preincident cybersecurity information is privileged will depend on a number of factors — the first of which is whether counsel was involved. Tests or evaluations performed by IT staff or security consultants that do not involve a lawyer are less likely to be privileged.
Universally, a communication must be made for the predominant purpose of seeking legal advice to be privileged. Technical inventories and tests performed before a breach are predominantly performed for security and business purposes, rather than to seek legal advice, and are unlikely to be privileged. But when documents relate to legal concerns rather than the business itself, courts have found these documents to be privileged.
For example, in In re Denture Cream Products Liability Litigation,2 the court considered the plaintiffs’ challenges to the defendants’ withholding of documents relating to product labeling on privilege grounds. Reviewing the documents in camera, the court found that the documents at issue were not concerned with business or marketing decisions but rather with legal concerns around labeling and potential litigation and so were properly withheld.
Internal audit reports prepared to provide insight to counsel have been held to be privileged, but other courts have found that internal data security reports prepared before any breach were part of business functions and not privileged — even when counsel supervised the reports and later relied on them to provide legal advice.
For example, the court in In re Premera Blue Cross Customer Data Security Breach Litigation (Premera I)3 found that many of the documents Premera sought to withhold as privileged would have been prepared regardless of any breach. Before the breach, Premera had retained the services of a third-party vendor to review its data management system.
Once the breach was discovered, Premera retained outside counsel, who entered into an amended statement of work with the vendor, requiring the vendor to report to counsel. The court rejected Premera’s argument that all work done after that amendment was privileged, noting that the scope of work being performed by the vendor remained unchanged. The court did hold, however, that draft reports sent to counsel for review were privileged.4
Application to Cybersecurity Information Created Post-Security Breach
Sedona suggests that the existing framework of attorney-client privilege and work-product protection may provide more protection to cybersecurity information created after a breach incident, assuming legal counsel is involved. The decisions of the few courts that have addressed the application of attorney-client privilege and work-product protection to cybersecurity information generated after a breach incident turn on several pivotal facts.
To determine whether the communications at issue were made for the predominant purpose of seeking legal advice, the court in In re Target Corp. Customer Data Security Breach Litigation5 considered whether the investigation and report would have been conducted in the absence of potential litigation.
In response to the subject data breach, Target retained outside counsel who recommended that Target establish a data breach task force to coordinate activities on behalf of Target’s counsel to provide legal advice. Target’s outside counsel retained Verizon Business Network Services Inc. to “enable counsel to provide legal advice to Target.”6 Another separate Verizon team was retained to conduct a separate investigation into the data breach of behalf of several credit card brands. Target only claimed privilege and work-product protection for the correspondence with and report from the data breach task force and the Verizon team retained by counsel.
The court noted the two-track investigation and held that Target demonstrated that the work of the data breach task force was focused on informing counsel about the breach so that the attorneys could provide legal advice and prepare to defend the company, not for remediation of the breach.7
In contrast, however, the court in Premera I rejected Premera’s argument that all work done subsequent to the amended statement of work was privileged, noting that the scope of work being performed by the vendor remained unchanged, distinguishing In re Target Corp. Customer Data Security Breach Litigation and In re Experian Data Breach Litigation.8 Accordingly, the few cases that have explicitly addressed the attorney-client privilege/work-product issue in cybersecurity information have been very fact-specific and not wholly consistent, turning on the courts’ view of who retained the vendor, the vendor’s scope of work and the nature of the work.
Application of the same principles has led to differing results in non-cybersecurity information situations as well, depending on the jurisdiction and court. For example, in evaluating whether communications with a public relations firm should remain privileged pursuant to what is known as the Kovel doctrine,9 the courts in Behunin v. Superior Court10 and BouSamra v. Excela Health11 said that the parties asserting privilege did not prove that disclosing the privileged documents was necessary for rendering legal advice and determined that disclosure to the public relations firm waived the privilege.
In contrast, in Grand Canyon Skywalk Development LLC v. Cieslak,12 in which counsel for the Hualapai Tribe hired a public relations firm “to protect the name of the tribe and make it look more reasonable in the eyes of the public,” the court concluded that there was “little doubt” the firm should be treated as a functional employee.13 Likewise, courts faced with arguments that communications between counsel and an independent consultant “landman” and between counsel and a human resources consultant arrived at opposite conclusions in Endeavor Energy Resources LP v. Gatto & Reitz14 and Scott v. Chipotle Mexican Grill Inc.,15 respectively.
Waiver by Voluntary Disclosure
Pursuant to the existing framework, disclosure to third parties may waive protection, depending in part on the jurisdiction. For example, even disclosure within a company may result in waiver depending on the applicable law. In “control group” jurisdictions, only communications between those in the control group and counsel are protected, so disclosure to an IT analyst could possibly be construed as a waiver. In contrast, in non-control group jurisdictions, it is unlikely that disclosure to IT specialists or other employees investigating and handling a breach would be found to be a waiver.
Typically, disclosure to a person or entity in pursuit of a common legal goal or concerning a matter of mutual legal concern will not constitute a waiver.16 Accordingly, disclosure of privileged cybersecurity information generated post-breach to other entities sharing a common interest, joint defense or joint representation, such as insurance brokers, affiliates or parties whose data may have been involved in the security breach, will not waive the attorney-client privilege or work-product protection under most situations.
Sedona perceives a particular threat to protection when parties are requested or forced to provide cybersecurity information to law enforcement or other agencies. Some courts have endorsed the concept of a “selective waiver” when reports generated by counsel, even with the assistance of third-party vendors, are disclosed to an agency but continue to be protected by attorney-client privilege or work-product protections for other purposes.17
Other courts, however, have rejected the limitation, holding that disclosure to an agency, even if pursuant to a subpoena, waives the attorney-client privilege.18 Assuming there has been a waiver, the parties are at the mercy of the jurisdiction and particular court as the court must then decide the scope of the waiver, and whether the broader subject matter waiver applies.19
Outside the cybersecurity information field, courts continue to analyze the extent of disclosure of non-cybersecurity information internal investigation reports to regulatory agencies or in discovery to determine if waiver has occurred and, if so, the scope of that waiver. In Banneker Ventures LLC v. Graham20 and Wadler v. Bio-Rad Laboratories Inc.,21 the courts found subject matter waiver because the companies had selectively used or produced portions of the internal investigation report and interview notes.
Yet in In re GM LLC Ignition Switch Litigation,22 the court concluded a company did not waive attorney-client privilege or work-product protection of interview materials relating to an internal investigation, even though a written report on the investigation was produced to the plaintiffs in a multi-district litigation as part of discovery and also submitted to Congress and the U.S. Department of Justice after a product recall.
Likewise, in Freedman v. Weatherford International Ltd., when a company disclosed to the U.S. Securities and Exchange Commission details and factual conclusions regarding an audit committee investigation, the court declined to hold in related litigation that there was subject matter waiver as to all other investigational documents.23
To address the growing importance of cybersecurity to society, Sedona proposes two reforms designed to realign incentives.
First, Sedona proposes a qualified stand-alone cybersecurity privilege modeled on the work-product protection. This privilege would protect materials prepared in anticipation of, or in response to, a cybersecurity threat, subject to an exception when a party can show substantial need and cannot obtain the materials elsewhere. The scope of information protected under the qualified stand-alone privilege would be narrow, limited to the mental impressions, conclusions, opinions, assessments, evaluations or theories of a person or its representative concerning cybersecurity.
Second, Sedona proposes a statutory selective waiver that would enable a litigant to disclose cybersecurity information to law enforcement or other agencies without waiver of protection otherwise.
Because the stand-alone privilege would apply only to “materials prepared in anticipation of or in response to a cybersecurity threat,” parties seeking to shield prebreach cybersecurity information will bear the burden of establishing the existence of a “cybersecurity threat.”
Parties seeking discovery of prebreach cybersecurity information, then, would argue the cybersecurity information is standard monitoring and auditing of the company’s security safeguards, and not created in response to a particular threat; similarly, companies seeking to shield the cybersecurity information may overreach, designating nearly all such activities as performed in anticipation of a cybersecurity threat.
Courts would need to decide how immediate the threat must be for the privilege to apply. If steps taken in response to the shielded audit or assessment prevent a breach, would the materials still be protected? Additionally, courts would have to determine what constitutes “mental impressions, conclusions, opinions, assessments, evaluations or theories” of nonlawyers.
While the attorney-client privilege and work-product protection have been tested and refined over decades, application of a novel privilege would necessarily be in a vacuum. Inconsistent applications by courts would risk multiplying uncertainty, spawning subsidiary litigation over whether a communication or document qualifies as cybersecurity information, or whether a communication is, in fact, an opinion rather than a mere recitation of facts.
Further, because cybersecurity information might also arguably be protected by the traditional attorney-client privilege or as attorney work product, courts would have additional opportunities to reach inconsistent results. Further, the creation of a new basis upon which a party may withhold information may spawn additional discovery disputes.
Operation of the proposed statutory selective waiver may be more straightforward assuming sufficient justification for the disclosure of the cybersecurity information to law enforcement. However, the temptation to cite any favorable action by the agency as a defense in ensuing litigation might result in an unfair advantage for the party seeking to shield the cybersecurity information.
In the traditional privilege analysis, courts considering the issue have relied heavily on considerations of fairness, looking at whether one party has selectively disclosed information for strategic advantage, unjustly turning the shield of privilege into a sword against an opponent.24 In the absence of specific guidelines as to how the proposed statutory selective waiver will work, the courts will be creating new law in a vacuum.
Unquestionably, the current framework of case law and rules governing attorney-client privilege and work-product protection results in disparate rulings depending on the jurisdiction and court not only for cybersecurity information but also other information.
To secure protection for cybersecurity information would be a step in the right direction, but would only address one aspect of the larger issue. Attorney-client privilege and work-product protection of cybersecurity information, like that of any category of documents or information, is fact-specific and turns on a number of factors, many of which simply do not fit the way that companies conduct their IT infrastructure activities.
Sedona highlights an issue that troubles all litigants no matter what the subject matter, and so perhaps reform efforts would better be directed more broadly. Similarly, clear guidance and uniform protection against waiver resulting from cooperation with law enforcement agencies across all subject matters would serve the public good.
1 The Sedona Conference comprises jurists, lawyers, academics and other experts dedicated to the advanced study of law and policy with the mission to move the law forward in a reasoned and just way.
2 In re Denture Cream Products Liability Litigation, No. 09-2051, 2012 WL 5057844, at *15 (S.D. Fl. Oct. 18, 2012).
3 In re Premera Blue Cross Customer Data Security Breach Litigation, 296 F. Supp. 3d 1230 (D. Or. 2017).
4 Id. See also In re Premera Blue Cross Customer Data Security Breach Litig. (Premera II), 329 F.R.D. 656 (D. Or. Feb. 6, 2019) (court clarified documents to and from attorney seeking legal advice, or drafted at attorney’s request, would be privileged).
5 In re Target Corp. Customer Data Security Breach Litigation, 2015 U.S. Dist. LEXIS 151974 (D. Minn. Oct. 23, 2015).
6 Id. at *6.
7 Id. at *11.
8 In re Experian Data Breach Litigation, 2017 U.S. Dist. LEXIS 162891 (C.D. Cal. May 18, 2017) (where Experian immediately hired outside counsel post-breach, who then brought the third-party vendor on to investigate and assist counsel in providing legal advice, report and communications were privileged).
9 United States v. Kovel, 296 F.2d 918, 922-23 (2d Cir. 1961) (holding that when an expert is necessary for counsel to provide legal advice, the privilege may extend to communications with the expert).
10 Behunin v. Superior Court, 9 Cal.App.5th 833, 215 Cal.Rptr.3d 475 (App. 2d Dist. 2017), review denied, 2017 Cal. LEXIS 4395.
11 BouSamra v. Excela Health,167 A.3d 728 (Pa. Super. 2017), petition for allowance of appeal granted, 179 A.3d 1079 (Pa. 2018).
12 Grand Canyon Skywalk Dev. LLC v. Cieslak, Nos. 15-01189, 13-00596, 2015 U.S. Dist. LEXIS 107457 (D. Nev. Aug. 13, 2015).
13 Id. at *39-40 (court found “no evidence that [the public relations firm] undertook to provide general public relations services to the Tribe” beyond the legal dispute.)
14 Endeavor Energy Resources LP v. Gatto & Reitz, No. 2:13CV542, 2017 U.S. Dist. LEXIS 48715 (W.D. Pa. 2017) (contract landman “easily qualifies” as the functional equivalent of an employee, noting landman was routinely performing same work as employees).
15 Scott v. Chipotle Mexican Grill, Inc., 94 F. Supp. 3d 585 (S.D.N.Y. 2015) (report provided no specialized knowledge that attorney could not have acquired or understood on his own; defendant’s own HR team could have performed analysis).
16 Sedona Commentary at 34 (citing In re Teleglobe Commc’ns Corp., 493 F.3d 345, 370 (3d Cir. 2007)).
17 See Diversified Indus. v. Meredith, 572 F.2d. 596 (8th Cir. 1978).
18 See In re Columbia/HCA Healthcare Billing Practices Litig., 293 F.3d 289, 307 (6th Cir. 2002) and cases cited and discussed therein.
19 Premera I, 296 F. Supp. 3d at 1249; see also comments to Fed. R. Civ. P. 502 ( “subdivision (a) provides that if a waiver is found, it applies only to the information disclosed, unless a broader waiver is made necessary by the holder’s intentional and misleading use of privileged or protected communications or information.”).
20 Banneker Ventures, LLC v. Graham, 253 F. Supp. 3d 64 (D.D.C. May 16, 2017).
21 Wadler v. Bio-Rad Laboratories Inc., 212 F. Supp. 3d 829 (N.D. Cal. 2016).
22 In re GM LLC Ignition Switch Litig., 80 F. Supp. 3d 521 (S.D.N.Y. 2015).
23Freedman v. Weatherford International Ltd., 2014 U.S. Dist. LEXIS 102248 (S.D.N.Y. July 25, 2014).
24 Compare Banneker Ventures, n.19, with In re GM LLC Ignition Switch Litig., n.22.
Matthew Hamilton and Donna Fisher are members of Pepper Hamilton’s Health Sciences Department, a team of 110 attorneys who collaborate across disciplines to solve complex legal challenges confronting clients throughout the health sciences spectrum.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.